aws-clilisted

# AWS CLI Safety-first wrapper for AWS CLI v2 (`aws`). Every command is classified by risk tier BEFORE execution — full AWS control, w/ anything irreversible, breaking, or cost-incurring gated behind explicit `AskUserQuestion` confirmation. Blast radius on AWS is an entire company's infra: wrong account/region/flag can destroy data, break prod, or spend real money. ## When to Use - Run/inspect any AWS service: EC2, S3, IAM, Lambda, RDS, DynamoDB, CloudFormation, Route 53, ECS/EKS, CloudFront, SQS/SNS, CloudWatch, KMS, Secrets Manager, … - Audit resources, costs, security posture; tail logs; query w/ `--query` (JMESPath) - Deploy/update infra, manage env config, rotate creds, debug failing calls - Set up auth: profiles, IAM Identity Center (SSO), assume-role, MFA ## Prerequisites (run once per session) ```bash bash scripts/aws_preflight.sh [profile] ``` Reports version, profiles, region, and the **active identity** (`sts get-caller-identity`). NEVER run a write op w/o knowing which account+region you're pointed at. No profiles configured → guide setup via [references/patterns.md](references/patterns.md) (keys vs SSO). ## Safety Model | Tier | Action Required | Examples | |------|----------------|----------| | **Safe** | Execute immediately | `describe-*`, `get-*`, `list-*`, `s3 ls`, `sts get-caller-identity`, `logs tail`, any `--dry-run` | | **Write** | Inform user, then execute | `create-*`, `put-*`, `tag-*`, `lambda update-function-code`, `s3 cp/sync` | | **Destructi